PACKET FILTERING IN CONNECTION-BASED SWITCHING NETWORKS 



FIELD OF THE INVENTION 

This invention relates to communication networks, and, 
more particularly to apparatus and methods for filtering 
packets in a connection-based switching network that 
includes a shared-media subnetwork. 

BACKGROUND OF THE INVENTION 

As businesses have realized the economic advantages of 
sharing expensive computer resources, cabling systems 
(including wireless cabling systems) have proliferated in 
order to enable the sharing of such resources over a com- 
puter network. A network for permitting this communication 
may be referred to as a local area network or "LAN." LAN 
refers to an interconnection data network that is usually 
confined to a moderately-sized geographical area, such as a 
single office building or a campus area. Larger networks are 
often referred to as wide area networks or "WANs." 

Networks may be formed using a variety of different 
interconnection elements, such as unshielded twisted pair 
cables, shielded twisted pair cables, coaxial cable, fiber optic 
cable or even wireless interconnect elements. The configu- 
ration of these cabling elements, and the interfaces for the 
communication medium, may follow one (or more) of many 
topologies, such as star, ring or bus. In addition, a number 
of different protocols for accessing the networking medium 
have evolved. For example, the Institute of Electrical and 
Electronics Engineers, IEEE, has developed a number of 
standards for networks, including IEEE 802.3 relating to 
Ethernet buses using carrier sense multiple access and 
collision detection, IEEE 802.4 relating to token buses using 
token passing and IEEE 802.5 relating to token ring net- 
works using token passing. The American National Stan- 
dards Institute (ANSI) has also developed a standard for 
fiber distributed data interface (FDDI) using multiple token 
passing. 

As demand has grown, communication networks have 
gotten bigger and bigger. Eventually, the number of stations 
on the network use up the available bandwidth for that 
network, or approach limits imposed by the physical 
medium employed. In addition, it is often desirable to 
combine two existing networks into one larger network. 
Accordingly, methods and apparatus for connecting two 
separate networks have developed. One such method 
involves the use of a bridge. 

Generally, a "bridge" refers to a link between (at least) 
two networks. Thus, when a bridge receives information on 
one network, it may forward that information to the second 
network. In this fashion, two separate networks can be made 
to function as one larger network. 

FIG. 1A illustrates one example of networks being inter- 
connected. A first network NW1 is shown as a network 
cloud NW1. End station ES1 is located within that network. 
Similarly, the figure illustrates a second network NW2 
containing a second end station ES2; a third network NW3 
containing a third end station ES3; and a fourth network 
NW4 containing a fourth end station ES4. 

In FIG. 1A, the four networks NW1, NW2, NW3 and 
NW4, are interconnected using a shared media network F. 
(As discussed in more detail below, information on a shared 
media network is made available to all switches on that 
network.) The strategy for connecting networks NW1-NW4 
in the topology of FIG. 1A uses a "backbone." That is, a 
separate network is disposed between each of the existing 
networks NW1-NW4. Communication traffic between the 
networks, therefore, is sent over the network backbone F. In 
the illustration, shared media network F is an FDDI token 
ring. Since shared media network F (or any of networks 
NW1-NW4) constitutes a communication network within a 
larger communication network, shared-media network F 
may also be referred to as a subnetwork. 

Interconnections may be achieved using switches S1, S2, 
S3 and S4. The switch S1 may include two components. The 
FDDI components F1-F4 process and manage communica- 
tions over the FDDI ring F, according to methods known in 
the art. The bridging components B1-B4 manage the bridg- 
ing of traffic from the networks NW1-NW4 to the FDDI 
ring F, and vice-versa. 

Bridging strategies are well known in the art, and are the 
subject of a standard promulgated by the IEEE, IEEE 802.1, 
concerning transparent or self-learning bridges. A useful 
background discussion of bridges can be found in Radia 
Perlman, Interconnections: Bridges and Routers, Addison- 
Wesley Professional Computing Series, Reading, Mass. 
(1992). To aid in understanding the present invention, a 
discussion of transparent bridges follows. This discussion is 
not intended to limit the scope or application of the present 
invention and claims. 

One possible strategy for connecting two networks with a 
bridging board would be for the bridging board to forward 
all communications (often referred to as "packets" or "data 
packets" — both of these terms, as used in the specification 
and the claims, are intended to include traditional data 
packets and their functional equivalents, such as "cells," 
"datagrams," or the like) to all other networks connected to 
that board. For example, whenever a communication is sent 
from end station ES1, that communication would be for- 
warded via the shared media subnetwork F to each of the 
other networks NW2, NW3 and NW4, regardless of who is 
the intended recipient. In this fashion, the shared-media 
subnetwork F would serve to combine the four networks 
NW1-NW4 as though they were only one network. 
Unfortunately, the duplication of every message sent on the 
network would quickly clog up the available bandwidth on 
each of the networks. 

To address this problem, it would be possible to program 
each bridging board with the location of each station on each 
network. In this way, every communication could be routed 
to the appropriate network. This is a viable option as 
discussed below for connection-based networks; however, it 
may require replacement of existing network hardware, at 
additional expense. 

Another alternative is to have a bridging board watch 
traffic across the board in order to learn the location of each 
end station, as communications are made over the network. 
In this fashion bridges could be simply plugged into net- 
works and left on their own to learn the proper connections 
to be made. This type of bridge is often referred to as a 
"transparent" bridge or "self-learning" bridge. 

FIG. 1B illustrates an example of end station ES1 sending 
a packet to end station ES2. Each packet of information 
includes a unique identifier that indicates the source station 
and destination station for the packet. In this example, the 
source address would be a unique address (such as a media 
access control, or "MAC" address) for ES1 and the desti- 
nation address is a unique identifier for ES2. In the example, 
the packet is first sent from network NW1 to the backbone 
switch S1, as indicated at 12a. From this packet, bridging 
component B1 learns that end station ES1 is located off of its network port, as indicated in the first two columns of the table illustrated at T1. 

A function of the bridging components B1-B4 is to remove (i.e., refuse to forward or "filter") data traffic that should not be sent to an attached network. In the present example, when bridging component B1 determines that end station ES1 lies off of its network port, it should not filter subsequent traffic to network NW1— if that traffic has a destination address corresponding to end station ES1. Accordingly, a filter entry of the table T1 indicates that traffic to end station ES1 should not be filtered. 

Because the destination address of the packet (which corresponds to end station ES2) is not present in the table T1, bridging component B1 forwards the packet to the FDDI ring F. As indicated at 12b, the FDDI component F1 forwards the packet along the FDDI ring. Because the bridging component B2 is not aware of where end station ES2 is located, the bridging component B2 forwards the packet onto network NW2, as indicated at 12c. In addition, bridging component B2 learns from the source address for the packet that end station ES1 is located off of the FDDI port. Accordingly, bridging component B2 should filter any future traffic received on the FDDI port and destined to ES1. Thus, bridging component B2 creates a table T2 that identifies end station ES1 as connected off of its FDDI connection (the FDDI port), and indicating in the filter column that future traffic destined to end station ES1 should be filtered from network NW2. 

Meanwhile, FDDI component F2 forwards the packet on its FDDI connection, as indicated at 12e. Switches S3 and S4 process the packet in a similar manner as switch S2. As indicated at 12f, the packet is again forwarded to FDDI component F1. Since F1 initiated this packet on the FDDI ring F, FDDI component F1 terminates the packet. 

FIG. 1C illustrates what happens when end station ES3 then sends a packet to end station ES1. The packet is first forwarded from the network NW3 to the switch S3, as indicated at 13a. As before, bridging component B3 learns that end station ES3 is located off its network port. Accordingly, an entry is made in the table T3 indicating that end station ES3 is off of the network port and that communications destined to end station ES3 should not be filtered. 

As before, the FDDI component F3 will forward the packet to FDDI component F4. Because the destination address for the packet is end station ES1, and there is an entry in the table T4 indicating that packets with a destination address of ES1 should be filtered, this packet is filtered at bridging component B4 and not forwarded to network NW4. FDDI component F4 forwards the packet to FDDI component F1, as indicated at 13c. Bridging component B1 refers to its table T1. End station ES1 is a known destination address and is not a filter entry. Accordingly, the packet is forwarded onto network NW1, as indicated at 13d. 

As indicated at 13e, the packet is also forwarded to FDDI component F2. As before, this packet is filtered from network NW2, and bridging component B2 also learns that end station ES3 lies off of its FDDI port — thus, future communications to end station ES3 should also be filtered. 

The table located at each switch (e.g., tables T1-T4) may be implemented as a bridge ASIC filter table or bridge address filter table ("BAF" table). A BAF may be implemented as a separate special-purpose hardware or software mechanism. A purpose of the BAF is to permit automatic filtering of packets. That is, the packet may be automatically filtered (or "in-line" filtered) when received — without intervention of a host CPU or other element implementing the switching functions of the device. The host CPU for the switch may then process more sophisticated procedures or functions while the BAF table and mechanism in-line filter unwanted packets — preventing these packets from swamping the host CPU. As a result, however, existing hardware and software for a switch may apply filtering based on entries in the BAF table, without providing any opportunity for implementing a more sophisticated filtering scheme on the host CPU. 

The network described above employs a destination address-based form of switching. That is, the decision of where to route a packet is based on the destination address for that packet. Most existing network topologies employ destination address-based procedures for determining the flow of communication packets. Accordingly, when a switch receives a packet with a given destination address on a particular port, that switch will always handle the packet in the same manner— filtering the packet or forwarding the packet to the same port, as determined, for example, by the BAF tables or their equivalents. 

The network described above also includes a shared media network F. In a shared media network, switches or end stations may be exposed to communication traffic not intended for that switch or end station. For example, a bus, such as a conventional ethernet network, employs a shared media topology. Similarly, a conventional FDDI ring may be viewed as a shared media topology — each station or switch located on the FDDI ring is exposed to all traffic that is present on the ring. As described above, shared media networks also may require some way of filtering packets not intended to cross that switch. 

Most currently implemented networks follow a destination address-based scheme and include shared-media networks. An alternative, which is gaining increased acceptance, is to employ connection-based networking. In a connection-based network, a specific path may be selected through the network for a given data packet. Thus, each packet follows a specific route or "connection" through the network. For example, the packet itself could specify a route through switches on the network. Alternatively, the source address (in combination with the destination address) for a packet could be used to identify a path through the switches. In this case, each source address/destination address pair could be used to uniquely identify a path through the communication network and each switch would know how to handle a packet corresponding to each source address/destination address combination that has a connection passing through that switch. Assignment of the path through the network could be done either through a central management site or through a distributed mechanism for determining a connection path for each source address/destination address pair that corresponds to a communication path that is currently being used. 

U.S. Pat. No. 5,485,455 issued Jan. 16, 1996, illustrates a particularly advantageous embodiment of a connection-based network, using a centralized management agent to establish the mapping of destination address/source address pairs to a communication path. U.S. patent application Ser. No. 08/626,596, filed Apr. 2, 1996, which is now U.S. Pat. No. 5,825,772, and commonly owned, discloses a particularly advantageous connection-based networking system employing distributed determination of communication paths through the switched network. Each of the above-identified patents and applications are hereby incorporated by reference in their entirety. 
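The self-learning behaviour of FIGs. 1B and 1C can be simulated with a few lines. The following is an added example, not code from the patent: four bridging components on a shared-media ring, each keeping a learned table; a station learned on the FDDI port becomes a filter entry, so traffic to it arriving from the ring is not forwarded onto the local network. Port names and the `Backbone` helper are assumptions made for the simulation.

```python
"""Added example: transparent (self-learning) bridging components B1-B4 on
the FDDI backbone of FIG. 1A, reproducing the flows of FIGs. 1B and 1C."""

NET, FDDI = "network", "fddi"   # the two ports of each bridging component


class BridgingComponent:
    """One bridging component B_n with its learned table T_n.

    The table maps an end-station address to the port on which a packet
    from that station was last seen.  A station learned on the FDDI port
    is a 'filter' entry: traffic to it arriving from the ring must not be
    forwarded onto the local network, because the station is not there.
    """

    def __init__(self, name):
        self.name = name
        self.table = {}

    def receive(self, src, dst, port):
        """Return the port to forward on, or None if the packet is filtered."""
        self.table[src] = port               # learn where the source station lies
        if self.table.get(dst) == port:      # destination lies off the receiving port
            return None                      # ... so there is nothing to bridge
        return FDDI if port == NET else NET  # unknown, or known on the other side

    def filter_entries(self):
        """Stations whose ring-side traffic is filtered from the local network."""
        return sorted(a for a, p in self.table.items() if p == FDDI)


class Backbone:
    """Shared-media ring: a frame put on the ring is seen by every other switch."""

    def __init__(self, names):
        self.bridges = {n: BridgingComponent(n) for n in names}

    def send(self, src, dst, origin):
        """Station src on the network behind switch 'origin' sends to dst.

        Returns {switch: action}: 'ring' (put on the FDDI ring by the
        originating switch), 'forward' (bridged onto that switch's network)
        or 'filter'.
        """
        actions = {}
        if self.bridges[origin].receive(src, dst, NET) is None:
            actions[origin] = "filter"       # destination is local; do not bridge
            return actions
        actions[origin] = "ring"
        for name, b in self.bridges.items():
            if name != origin:               # the originator terminates its own frame
                out = b.receive(src, dst, FDDI)
                actions[name] = "forward" if out == NET else "filter"
        return actions


def run_fig1():
    """FIG. 1B (ES1 -> ES2) followed by FIG. 1C (ES3 -> ES1)."""
    ring = Backbone(["S1", "S2", "S3", "S4"])
    fig1b = ring.send("ES1", "ES2", origin="S1")
    fig1c = ring.send("ES3", "ES1", origin="S3")
    tables = {n: b.filter_entries() for n, b in ring.bridges.items()}
    return fig1b, fig1c, tables


if __name__ == "__main__":
    b, c, t = run_fig1()
    print("FIG. 1B:", b)
    print("FIG. 1C:", c)
    print("filter entries:", t)
```

After the two packets, S2 and S4 hold filter entries for both ES1 and ES3, S1 holds one for ES3 and S3 one for ES1, matching the tables the text walks through; the ES3 to ES1 packet is bridged only by S1.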
Connection-based networks offer an opportunity to improve network efficiency (i.e., the effective bandwidth of the network) and to provide additional services to network users. Accordingly, many network administrators would like to implement connection-based networking systems. Unfortunately, replacing existing destination-based hardware and software components, including shared-media network infrastructure, in order to implement connection-based network topologies can be an expensive proposition. Accordingly, there is a great need for a method and apparatus for using existing destination-based components and shared media networks in a connection-based scheme, preferably in a way that permits efficient filtering of packets in a shared-media subnetwork. Such a method and apparatus could, for example, permit an existing shared media network to be integrated into a newer connection-based networking scheme. 

SUMMARY OF THE INVENTION 

According to one embodiment of the invention, a method for filtering a plurality of packets received by a switch having a set of known connections is provided. According to this method, information on known connections for the switch is maintained and packets that do not correspond to one of the known connections are filtered. 

According to another embodiment of the invention, a method for routing a packet through a connection-based network that includes a shared-media subnetwork is provided. According to the method, the packet is routed through a switch on the shared-media network and filtered on another switch on the shared-media network. 

According to another embodiment of the invention, a method of using a switch in a connection-based communication network is provided. According to this embodiment, a path through the network is identified; packets are forwarded according to the identified path; and a packet that does not correspond to the identified path is filtered. 

According to another embodiment of the invention, a switch for a connection-based communication network is provided. The switch includes two communication ports, means for maintaining information on a set of known connections, means for forwarding packets corresponding to one of the known connections, and means for filtering packets that do not correspond to one of the known connections. 

BRIEF DESCRIPTION OF DRAWINGS 

FIG. 1A illustrates a sample communication network. 

FIG. 1B illustrates an example of a packet being sent from end station ES1 to end station ES2 on the network of FIG. 1A. 

FIG. 1C illustrates an example of a packet being sent from end station ES3 to end station ES1 on the network of FIG. 1B. 

FIG. 2 illustrates an embodiment of a switch for a communication network. 

FIG. 3 illustrates one embodiment of a method for filtering packets on a shared-media subnetwork of a connection-based network. 

FIG. 4 illustrates an example according to the method of FIG. 3. 

FIG. 5 illustrates a communication network that includes a redundant path. 

FIG. 6 illustrates one embodiment of a method for programming a connection in a shared-media subnetwork switch, according to the present invention. 

FIG. 7 illustrates one embodiment of a method for unprogramming a connection in a shared-media subnetwork switch, according to the present invention. 

FIG. 8 illustrates one embodiment of a method according to the present invention for receiving and filtering packets on a shared-media subnetwork switch. 

FIG. 9A illustrates an example of forwarding and filtering packets according to the embodiment of the invention shown in FIG. 8. 

FIG. 9B provides an example of filtering connections according to the method of FIG. 8. 

FIG. 9C illustrates [text illegible in source] according to the method of FIG. 8. 

DETAILED DESCRIPTION 

While the preferred embodiment is described in the context of an FDDI subnetwork and filtering using a BAF table, this is not intended to be limiting. Application to other shared media networks and other filtering mechanisms is within the scope of the present invention. 

FIG. 2 illustrates one embodiment of a switch S. The switch S includes two communication ports 22 for receiving and sending data on an FDDI token network. An FDDI component 21 is provided to control communication over the FDDI network. Two network ports 26 are also provided. Ports 26 provide channel communication to one or two networks coupled to this switching board S. A CPU 23 is provided to control switching and filtering of packets between any network connected via a port 26 and the FDDI network connected via ports 22. A command port 24 is included for downloading commands to control the function of the switch. Specialized hardware 25 also may be included. Such hardware may implement the BAF table and may filter a communication received via the FDDI component 21 from being forwarded to the network attached via one of the ports 26. In one embodiment, specialized BAF hardware 25 filters this communication without requiring the intervention (after an entry has been made in the BAF table) of any software program located on the CPU 23. In this embodiment, the processing of the CPU 23 does not get overloaded by an extremely high volume of communication data on the shared-media FDDI network. 

Use of the hardware of FIG. 2 in a connection-based network may be difficult. Use of the BAF hardware is desirable due to its efficiency in filtering unwanted packets and to the fact that it exists in many components of existing systems. It is not readily apparent, however, how BAF hardware for destination address-based networking systems can be used in a connection-based networking system. This is compounded by the fact that the BAF hardware may filter or otherwise process packets received, prior to intervention by the CPU, which complicates the ability to address the problem by downloading connection-based software to the CPU. If a packet is handled exclusively by the BAF hardware, the CPU will not be given an opportunity to process the packet according to a connection-based networking scheme. 

According to one embodiment of the invention, the connection-based switching mechanism is resident on the CPU for the applicable switch. This switch may be implemented as disclosed in U.S. Pat. No. 5,485,455 to K. Dobbins, et al. which issued Jan. 16, 1996. U.S. patent application, Ser. No. 08/550,630, entitled "Port-Link Configuration Tracking Method and Apparatus," filed Oct. 31, 1995, now U.S. Pat. No. 5,590,120, discloses particularly advantageous methods and apparatus for determining connections in a connection-based switching network that includes a shared-media subnetwork. This application is hereby incorporated by reference in its entirety. 

In one embodiment, a connection-based networking 
scheme is used that "programs" connections between end 
stations before communication between those end stations 
can occur. To program a connection, a path through switches 
on the network is first identified. That path will define the 
single communication route to be used between those end 
stations (of course, in other embodiments, more than one 
communication route could be selected). Each switch on the 
identified path is informed (or deduces) that it is on that 
communication path and which port on that switch should 
receive packets for forwarding. 

Thus, in FIG. 1A, to program a connection between end 
station ES1 and end station ES2, switch S1 could be 
programmed to forward ES1/ES2 traffic (that is, packets 
having a source address corresponding to end station ES1 
and a destination address corresponding to end station ES2) 
to the FDDI component, and ES2/ES1 packets to the net- 
work port coupled to network NW1. Similarly, switch S2 
would be programmed to forward ES1/ES2 traffic to its 
network port coupled to network NW2, and ES2/ES1 traffic 
would be forwarded to the FDDI component. 

In the above example, the ES1/ES2 connection is, 
therefore "known" to switches S1 and S2, and not "known" 
to switches S3 and S4. Thus, a connection is "known" if the 
source address/destination address connection has been pro- 
grammed through that particular switch. (The present 
description assumes that known connections are identified 
by source address and destination address. Use of other 
identifiers is, of course, feasible and within the scope of the 
present invention.) 

A "known connection table" may be implemented in order 
to maintain information concerning known connections. A 
known connection table may be implemented in memory 
associated with a host CPU 23 of FIG. 2, or by any other 
equivalent means. The known connection table would, 
preferably, include an identifier for the forwarding port for 
each source address/destination address combination corre- 
sponding to a known connection. 

Thus, an existing network switch in a destination address- 
based networking scheme may be programmed to perform 
connection-based switching by downloading alternative 
software to the CPU for that switch. As explained above, 
however, this does not resolve how to filter packets in a 
shared-media subnetwork, or how to retain the advantages 
of in-line filtering for a shared-media subnetwork. 

FIG. 3 illustrates one embodiment of a method for imple- 
menting connection-based networking on a destination 
address-based switch. For reasons explained below, this 
method is useful for networks that do not include redundant 
communication paths. At a step 31, the applicable switching 
board receives a packet. At a step 32, it is determined 
whether the destination address for the packet is resident in 
the BAF table (with in-line filtering enabled) for this switch. 
If so, at a step 33, the packet is automatically filtered. As 
indicated at the box B, these steps may be implemented by 
the BAF hardware — without intervention from a host CPU. 
As is apparent from the figure, in this embodiment, the BAF 
is used only for filtering, and not for forwarding packets. 
This may be done because, in a connection-based network 
scheme, the destination address alone is not sufficient infor- 
mation for determining the forwarding port for a switch. 
Additional information, such as the source address or other 
routing information, needs to be examined. 



If the destination address is not present in the BAF, 
processing may be resumed by a host CPU, as indicated at 
the box H. At a step 34, it is first determined whether the 
applicable packet corresponds to a known, or programmed, 
connection. That is, does the source address/destination 
address pair indicate that the communication path for this 
connection passes through this switching board (the source 
port may also be used in determining whether a connection 
is known). If so, at a step 38, the packet is forwarded on the 
appropriate port, according to a known connection table for 
the switch. If not, at a step 35, the destination address for that 
packet is added to the BAF table. At a step 36, the source 
address is also added to the BAF table. Finally, at a step 37, 
the packet is filtered. 

Thus, steps 35 and 36 assure that all future communica- 
tions between these two end stations will be filtered by the 
BAF, and without intervention by the CPU. In a preferred 
embodiment, entries in the BAF table are removed if no 
packet has been filtered, based on that entry, over a prede- 
termined period of time. 

To program a connection, the source ports are first iden- 
tified. For example, to program the ES2-ES1 connection in 
the network of FIG. 1A, switch S1 would identify the FDDI 
port as the source port for traffic to ES1, and the network 
NW1 port as the source port for traffic to ES2. After 
identifying source ports, the corresponding BAF entries are 
removed. Thus, in the above example, the entry in the BAF 
table for filtering traffic to ES1 received on the FDDI port is 
removed (if any) and the entry for filtering traffic to ES2 
received on the network NW1 port is removed (if any, for 
example where another shared media network is used at 
NW1). (In the preferred embodiment described herein, com- 
munication paths or "connections" are established as two- 
way paths. That is, a packet from end station ES1 to end 
station ES2 will follow the same path (in reverse order) as 
a packet from end station ES2 to end station ES1. Of course 
this is not a requirement in a connection-based network. It 
would be apparent to one of ordinary skill in the art that the 
methods and apparatus described herein could be readily 
adapted to permit programming of one-way communication 
paths.) 

FIG. 4 illustrates an example using the network illustrated 
in FIG. 1A, and after a communication path has been 
programmed for communication from end station ES1 to 
end station ES2. As can be seen, each entry in a BAF table 
corresponds to communications that will be filtered. When 
packets are sent from ES1 to ES2 and ES2 to ES1, switches 
S3 and S4 each program both the source address and 
destination address for the packets into their BAF tables, 
because these are not known connections. Accordingly, 
packets to and from ES2 and ES1 are in-line filtered at 
switches S3 and S4. Switch S1 has an entry in its BAF table 
that would permit filtering of communications to ES2, when 
received on the FDDI port. When the connection is 
programmed, end station ES1 is removed from the BAF 
table for switch S1 and communication received at switch 
S1 and destined to end station ES1 will be forwarded across 
switch S1. 

The above method works well for communication net- 
works that include no redundant communication paths. That 
is, a network in which there is exactly one communication 
path between any two end stations. Such a network is known 
in the art as a spanning tree network (including networks 
with redundant communication paths, but which have the 
redundant paths blocked according to the spanning tree 
algorithm known in the art). As explained below, however, 
this method may not be satisfactory when redundant com- 
munication paths are present. 
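The FIG. 3 method and its dependence on a loop-free topology can be exercised on a single switch. The following is an added example, not code from the patent: the BAF is modelled as a set of destination addresses, as step 32 describes (the receiving port is ignored for simplicity), and the known connection table maps a (source, destination) pair to a forwarding port. `fig4_switch_s3` reproduces what switch S3 does in FIG. 4; `fig5_switch_s1` shows the redundant-path failure the text goes on to describe, in which a stray packet from an unprogrammed connection loads an address of a programmed connection into the BAF. Port names are assumptions.

```python
"""Added example: one switch running the method of FIG. 3 (steps 31-38),
with connection programming as described for the ES2-ES1 connection."""

FDDI, NW1 = "fddi", "nw1"   # assumed port names


class Fig3Switch:
    def __init__(self):
        self.baf = set()    # destination addresses filtered in-line by BAF hardware
        self.known = {}     # (src, dst) -> forwarding port (host-CPU known connection table)

    def program(self, a, b, port_to_a, port_to_b):
        """Program the two-way a<->b connection and remove the BAF entries
        that would otherwise filter traffic to either end station."""
        self.known[(a, b)] = port_to_b
        self.known[(b, a)] = port_to_a
        self.baf.discard(a)
        self.baf.discard(b)

    def receive(self, src, dst):
        """Steps 31-38 of FIG. 3; returns (action, detail)."""
        if dst in self.baf:                        # steps 32/33: box B, no CPU involved
            return ("filtered", "baf")
        if (src, dst) in self.known:               # steps 34/38: box H, forward
            return ("forwarded", self.known[(src, dst)])
        self.baf.add(dst)                          # step 35
        self.baf.add(src)                          # step 36
        return ("filtered", "cpu")                 # step 37


def fig4_switch_s3():
    """FIG. 4: switch S3 sees ES1<->ES2 traffic for a connection not programmed through it."""
    s3 = Fig3Switch()
    first = s3.receive("ES1", "ES2")     # unknown: the CPU filters and loads the BAF
    second = s3.receive("ES2", "ES1")    # now caught in-line by the BAF
    return first, second, sorted(s3.baf)


def fig5_switch_s1():
    """FIG. 5: S1 has the ES2<->ES1 connection programmed, then sees an
    ES3 -> ES1 packet that reached the ring over the redundant path."""
    s1 = Fig3Switch()
    s1.program("ES2", "ES1", port_to_a=FDDI, port_to_b=NW1)
    stray = s1.receive("ES3", "ES1")     # unknown: steps 35/36 put ES1 into the BAF
    known = s1.receive("ES2", "ES1")     # programmed connection, but ES1 is now in the BAF
    return stray, known, sorted(s1.baf)


if __name__ == "__main__":
    print("FIG. 4, switch S3:", fig4_switch_s3())
    print("FIG. 5, switch S1:", fig5_switch_s1())
```

In the FIG. 5 case the second call returns a BAF filter for a packet that belongs to a programmed connection: the in-line hardware never gives the CPU a chance to consult the known connection table, which is exactly the problem the port table and filter connection table are introduced to solve.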
FIG. 5 illustrates a network where there is a redundant path in the communication network. FIG. 5 illustrates the network of FIG. 1A, with an additional communication link from switch S4, through port 52, and to network NW1. 

Consider using the preceding method in the network of FIG. 5, after programming a connection from ES2 to ES1, through switches S2 and S1, followed by programming a connection from end station ES3 to end station ES1 through switches S3 and S4. According to the above method, when end station ES3 sends a packet to end station ES1, switch S1 will be exposed to that packet— which it will determine corresponds to an unknown connection. Accordingly, switch S1 will add the destination address for the packet (ES3) and the source address for the packet (ES1) to the BAF table, as illustrated at FIG. 3, steps 35 and 36. As a result, future packets from ES2 to ES1, which have a connection programmed through switch S1, will be filtered by switch S1, because ES1 appears in switch S1's BAF table. 

This problem may be addressed using a port table and a filter connection table. A port table maintains a count of the number of connections through the switch using a particular shared-media source port for sending packets to a particular end station. Thus, the format for a row of the port table would include entries for the port that receives the packet (the source port), the destination address for the packet and a connection count corresponding to the number of different communication paths for that destination address that use that source port. 

A filter connection table maintains a list of connection identifiers that should be filtered by the switch, but which are not filtered through the BAF mechanism. The format for a row of the filter connection table would include entries for the source port for the filtered packet, the source address for the filtered packet, and the destination address for the filtered packet. The filter connection table may be implemented separately or as a part of the known connection table. If a packet arrives for which there is an entry in the filter connection table that meets each of those three values, that packet will be filtered. 

FIG. 6 illustrates a method of programming a connection through a switch that uses a port table. At a step 61, it is first determined whether the source port for the connection is a 

FIG. 8 illustrates one embodiment of a method for processing packets at a switch using the port table and filter connection tables described above. The process begins at a step 80 where a packet is received by the applicable switch. At a step 81a, it is determined whether the source port/destination address combination for the packet meets an entry in the BAF table. If so, at a step 81b, the packet is filtered. These steps may be performed using existing BAF hardware for filtering. The remaining steps in the process, in a preferred embodiment, may be carried out on a host CPU. In this embodiment, the host CPU would then determine, at a step 82a, whether this is a known connection. This step may be performed by examining a known connection table, as described above. If the connection is known, at a step 82b, the packet is forwarded to the applicable port (again, the applicable port may be determined through reference to the known connection table). If the packet does not correspond to a known connection, at a step 83, it is determined whether the packet corresponds to a filtered connection. If there is an entry in the filter connection table corresponding to this packet, the packet may be filtered. In practice, filtering done in response to an entry in a BAF filter may be performed using a different mechanism than filtering done in response to an entry in the filter connection table; the former may be filtered in BAF hardware while the latter may be [text illegible in source]. 

If there is no applicable entry in the filter connection table, at a step 84, it is determined whether the source address/source port combination for the packet appears in the port table. If so, a filtered connection is added to the filter connection table at step 85. The entry, of course, corresponds to the source port, source address and destination address for the packet received at step 80. If the source address does not appear in the port table, the source address may be added to the BAF at a step 86. In addition to examining the source address at steps 84 to 86, steps 87 to 89 perform a similar function for the destination address for the received packet. 

In one embodiment, an entry in the filter connection table is removed if no packet corresponding to that entry has been received by the switch over a predetermined amount of time. 

As can be seen, this method for receiving packets at a 

shared media port. (In the disclosed embodiment, it is switch SI assumes that communications between two end 

assumed that one shared-media network is used to connect 45 stations use the same communication path independent of 

other connection-based networks. The disclosed method is the direction of the communication. It is readily apparent, 

readily adapted, however, to scenarios where more than one however, that the above procedure could be modified to 

shared -media network is attached to a switch, as would be permit different communication paths depending on the 

apparent to one of skill in the art.) If not, no entry needs to direction in which the packet is going, 

be made in the port table. If the source port is a shared-media 50 FIG. 9 A illustrates an example of communication in an 

port, at a step 62, it is determined whether the destination illustrative network, according to the above embodiment of 

address for the packet is already present in the port table. If the present invention. In this figure, a communication path 

so, at a step 64, the connection count for that entry is has been programmed from end station ESI to end station 

increased. This indicates that an additional connection is ES2 via switches SI and S2. After the exchange of ES2-ES1 

using that port as a source port to transmit to that destination 55 packets on the network, the BAF table for switch SI has an 

address. If, at step 62, it is determined that the destination entry corresponding to filtering packets sent to end station 

address/source port is not in the port table, then, at a step 63, ES2, when the packet is received via the FDDI port. The port 

a new row is created for the port table, and a connection table for switch SI will include an entry identifying the fact 

count of 1 is assigned. The process then returns (step 63). that packets destined to end station ESI from the FDDI port 

Any entry in the filter connection table that corresponds to 60 will be sent — the connection count is now one since one 

the programmed connection may similarly be removed. connection (from ES2 to ESI) passes through this port to 

FIG. 7 illustrates how a connection can be unprogrammed this end station, 

for a switch. At a step 71, the connection count for the FIG. 9B illustrates the BAF tables, port tables and filter 

applicable source port/destination address combination is connection tables for the network of FIG. 9A, after a 

decreased by 1. If the new connection count is determined 65 connection has been programmed from ESI to ES3 via 

to be a 0, at a step 72, then that row is removed from the port switches S4 and S3 and packets have been sent on that path, 

table, at a step 73. The process then returns (step 74). In similar fashion to FIG. 9 A, entries in port tables are added 
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at switches S4 and S3, corresponding to the newly programmed
connection. According to the method described
above, the programming of switch S4 includes both the
removal of end station ES1 from the BAF table for switch
S4 and the creation of the port table entry at switch S4. The
filter connection for switch S4, corresponding to a source
port of the FDDI port, a source address of ES2 and a
destination address of ES1, would result in the filtering of all
future ES2-ES1 traffic, but without resulting in the filtering
of future ES3-ES1 traffic.

FIG. 9C illustrates what happens when, in the network of
FIG. 9B, a connection from end station ES5 to end station
ES1 is programmed and ES5-ES1 packets have been sent.
As illustrated, the connection count of the port table for
switch S1 is increased. This indicates that two connections
now use the FDDI port as a source port to send packets
having a destination address of ES1.
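The procedures of FIGS. 6, 7 and 8 and the FIG. 9A-9C walk-through can be exercised end to end in a small simulation. The following is an added example written for this page, not code from the patent or its assignee. The port names (FDDI, P1), the station names, the exact table layouts, matching of the BAF table on the destination address of a received packet, and the timestamp-based expiry of filter connection entries are assumptions drawn from the description above. It reproduces the failure the text describes, in which a switch that only learns BAF entries from packets it observes on the shared medium ends up dropping the programmed ES2-ES1 connection, and it shows the port table and filter connection table preventing that.

```python
"""Simulation of the tables described above (BAF in-line filter table, port table,
filter connection table) and of the FIG. 6 / FIG. 7 / FIG. 8 procedures that keep
them. Added example, not the patent's code; names, layouts and expiry are assumed."""
from collections import defaultdict


class Switch:
    def __init__(self, shared_media_ports, use_port_table=True):
        self.shared = set(shared_media_ports)
        self.use_port_table = use_port_table  # False: the BAF-only behaviour the text calls a problem
        self.known = {}                       # (in port, src addr, dst addr) -> out port
        self.baf = set()                      # {(in port, dst addr)}: dropped in hardware (step 81)
        self.port_table = defaultdict(int)    # (shared-media in port, dst addr) -> connection count
        self.filter_conn = {}                 # (in port, src addr, dst addr) -> time last seen

    def program_connection(self, in_port, src, dst, out_port):
        """FIG. 6, steps 61-64, plus disabling filtering of the new connection (claims 15-18)."""
        self.known[(in_port, src, dst)] = out_port
        if in_port not in self.shared:        # step 61: only shared-media source ports are counted
            return
        self.port_table[(in_port, dst)] += 1  # steps 62-64: new row with count 1, or count + 1
        self.baf.discard((in_port, dst))      # claim 17: remove the in-line filter entry
        self.baf.discard((in_port, src))      # assumption: source-address entries (claim 2) go too
        self.filter_conn.pop((in_port, src, dst), None)  # claim 18

    def unprogram_connection(self, in_port, src, dst):
        """FIG. 7, steps 71-73."""
        self.known.pop((in_port, src, dst), None)
        key = (in_port, dst)
        if key in self.port_table:
            self.port_table[key] -= 1
            if self.port_table[key] == 0:
                del self.port_table[key]

    def receive(self, in_port, src, dst, now=0):
        """FIG. 8, steps 80-89. Returns what the switch did with the packet."""
        if (in_port, dst) in self.baf:        # step 81: BAF hardware filter, before the host CPU
            return "filtered:baf"
        out = self.known.get((in_port, src, dst))
        if out is not None:                   # steps 82a, 82b
            return "forward:" + out
        triple = (in_port, src, dst)
        if triple in self.filter_conn:        # step 83: filtered connection, dropped by host CPU
            self.filter_conn[triple] = now
            return "filtered:fct"
        # steps 84-86 (source address) and 87-89 (destination address): an address that a
        # programmed connection delivers to through this port must not enter the BAF table,
        # or that connection's own packets would be dropped; record the whole triple instead.
        for addr in (src, dst):
            if self.use_port_table and self.port_table.get((in_port, addr), 0) > 0:
                self.filter_conn[triple] = now   # steps 85, 88
            else:
                self.baf.add((in_port, addr))    # steps 86, 89
        return "dropped:unknown"

    def expire_filter_connections(self, now, max_idle):
        """Drop filter connection entries idle for more than max_idle (one embodiment above)."""
        self.filter_conn = {k: t for k, t in self.filter_conn.items() if now - t <= max_idle}


def fig_9a_switch(use_port_table=True):
    """Switch S1: ES1 on port P1, ES1<->ES2 path programmed via S1 and S2 over the FDDI ring."""
    s1 = Switch({"FDDI"}, use_port_table)
    s1.program_connection("P1", "ES1", "ES2", out_port="FDDI")
    s1.program_connection("FDDI", "ES2", "ES1", out_port="P1")
    return s1


def run_scenario():
    """FIGS. 9A-9C from switch S1's point of view, then the same ES3->ES1 exposure on a
    switch without a port table, which drops the programmed ES2->ES1 traffic."""
    r = {}
    s1 = fig_9a_switch()
    # assumption: the shared medium exposes S1's FDDI port to an ES1->ES2 frame, which
    # matches no known connection with FDDI as source port (the FIG. 9A table state)
    s1.receive("FDDI", "ES1", "ES2", now=1)
    r["fig9a_baf"] = sorted(s1.baf)
    r["fig9a_count"] = s1.port_table[("FDDI", "ES1")]
    # the case discussed in the text: ES3->ES1 is programmed through S3 and S4 only
    s1.receive("FDDI", "ES3", "ES1", now=2)
    r["es2_to_es1"] = s1.receive("FDDI", "ES2", "ES1", now=3)  # still forwarded
    r["es3_to_es1"] = s1.receive("FDDI", "ES3", "ES1", now=3)  # filter connection table
    r["es1_to_es3"] = s1.receive("FDDI", "ES1", "ES3", now=3)  # BAF, reverse direction
    r["baf"] = sorted(s1.baf)
    s1.expire_filter_connections(now=7, max_idle=5)
    r["fct_after_expiry"] = sorted(s1.filter_conn)
    # FIG. 9C: a second connection through the FDDI port to ES1 raises the count; FIG. 7 lowers it
    s1.program_connection("FDDI", "ES5", "ES1", out_port="P1")
    r["count_after_9c"] = s1.port_table[("FDDI", "ES1")]
    s1.unprogram_connection("FDDI", "ES5", "ES1")
    s1.unprogram_connection("FDDI", "ES2", "ES1")
    r["row_after_unprogram"] = ("FDDI", "ES1") in s1.port_table
    naive = fig_9a_switch(use_port_table=False)
    naive.receive("FDDI", "ES3", "ES1")
    r["naive_es2_to_es1"] = naive.receive("FDDI", "ES2", "ES1")
    return r
```

run_scenario() returns "forward:P1" for ES2-ES1 traffic on the switch with a port table and "filtered:baf" for the same traffic on the switch without one, which is the over-filtering the text sets out to avoid. Two points a practitioner would keep in mind follow directly from the description: filter connection entries are matched by the host CPU rather than in BAF hardware, and they are created per source port/source address/destination address triple, so their number is bounded only by the expiry timer and by how many distinct unknown triples the shared medium exposes the switch to; and the learning step trusts that stations on the shared medium will later be reached over the same path in both directions, which is the stated assumption of the method.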

Having thus described at least one illustrative embodiment
of the invention, various modifications and improvements
will readily occur to those skilled in the art and are
intended to be within the scope of the invention.
Accordingly, the foregoing description is by way of example
only and is not intended as limiting. The invention is limited
only as defined in the following claims and the equivalents
thereto.

What is claimed is: 

1. A method of filtering a plurality of packets received by
a switch having a set of known virtual connections, and the
switch further having a first port coupled to a shared-media
subnetwork of a connection-oriented communication
network, the set of known virtual connections being
programmed through the shared-media subnetwork, and a
second port, the method comprising the steps of:

storing information on the set of known virtual connections
for the connection-oriented communication network
for the switch;

forwarding a packet, corresponding to one of the known
virtual connections from the first port to the second
port, wherein the one of the known virtual connections
is programmed through the shared-media subnetwork;
and

selectively in-line filtering one of the packets, received by
the switch on the first port, that does not correspond to
one of the set of known virtual connections, wherein
the step of selectively in-line filtering comprises the
steps of:

maintaining an in-line filter table based on a plurality of
destination addresses corresponding to packets to be
filtered; and

for one of the packets that does not correspond to one
of the known connections, adding an entry to the
in-line filter table corresponding to a destination
address for that packet.

2. The method of claim 1, wherein the step of selectively
in-line filtering further comprises the step of:

adding an entry to the in-line filter table corresponding to
a source address for a received packet that does not
correspond to one of the known connections.

3. The method of claim 1, further comprising the step of:

selectively filtering one of the packets based on which
port that packet was received by the switch, a destination
address for that packet and a source address for that
packet.

4. The method of claim 1, wherein the shared-media
subnetwork comprises an FDDI token ring network.

5. A method of filtering a plurality of packets received by
a switch having a set of known virtual connections, and the
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switch further having a first port coupled to a shared-media
subnetwork of a connection-oriented communication
network, the set of known virtual connections being
programmed through the shared-media subnetwork, and a
second port, the method comprising the steps of:

storing information on the set of known virtual connections
for the connection-oriented communication network
for the switch;

forwarding a packet, corresponding to one of the known
virtual connections from the first port to the second
port, wherein the one of the known virtual connections
is programmed through the shared-media subnetwork;

selectively in-line filtering one of the packets, received by
the switch on the first port, that does not correspond to
one of the set of known virtual connections; and

maintaining, for at least one destination address that has
a known connection through the switch using the first
port as a source port, a count of the number of
connections for that destination address which use the first
port as a source port.

6. The method of claim 5, wherein the step of selectively 
in-line filtering comprises the steps of: 

maintaining an in-line filter table based on a plurality of 
destination addresses corresponding to packets to be 
filtered; and 

for one of the packets that does not correspond to one of 
the known connections, adding an entry to the in-line 
filter table corresponding to a destination address for 
the received packet, if the destination address for the 
received packet does not have a connection count of 
more than zero. 

7. The method of claim 6, further comprising the steps of:

maintaining a filter connection table that includes entries
designating packets to be filtered;

for one of the packets that is received on the first port and 
does not correspond to one of the known connections, 
adding an entry to the filter connection table corre- 
sponding to that packet, if a destination address for that 
packet has a connection count using the first port of 
more than zero; and 

filtering any packet received by the switch that has a 
corresponding entry in the filter connection table. 

8. A switch for a connection-oriented communication
network, the switch being coupled to a shared-media
subnetwork, comprising:

a first port;
a second port;

means for storing information on a set of known
connection-oriented virtual connections for the switch;

means, coupled to the first port, the second port and the
means for storing, for forwarding a first packet
corresponding to one of the known virtual connections from
the first port to the second port, wherein the one of the
known virtual connections is programmed through the
shared-media subnetwork; and

means, coupled to the first port and the second port, for
in-line filtering a packet received on the first port, when
the packet does not correspond to one of the known
virtual connections, wherein the means for selectively
in-line filtering comprises:

means for maintaining an in-line filter table based on
destination addresses of a plurality of packets to be
filtered;

means for adding an entry to the in-line filter table
corresponding to the destination address of a
received packet that does not correspond to one of
the known connections.

06/21/2004, EAST Version: 1.4.1

US 6,510,151 B1

9. The switch of claim 8, wherein the means for filtering
further comprises:

means, coupled to the first port, for selectively filtering
one of the packets based on the port on which that
packet was received by the switch, the destination
address for that packet and the source address for that
packet.

10. The switch of claim 8, further comprising an FDDI
component, coupled to the first port, to manage
communication over an FDDI token ring network.

11. The switch of claim 8, wherein the means for
selectively in-line filtering further comprises:

means for adding an entry to the in-line filter table 
corresponding to the source address for the received 
packet. 

12. A switch for a connection-oriented communication
network, the switch being coupled to a shared-media
subnetwork, comprising:

a first port;
a second port;

means for storing information on a set of known
connection-oriented virtual connections for the switch;

means, coupled to the first port, the second port and the
means for storing, for forwarding a first packet
corresponding to one of the known virtual connections from
the first port to the second port, wherein the one of the
known virtual connections is programmed through the
shared-media subnetwork;

means, coupled to the first port and the second port, for
in-line filtering a packet received on the first port, when
the packet does not correspond to one of the known
virtual connections; and

means for maintaining, for each destination address of the
known connections that uses the first port as a source
port, a count of the number of known connections for
that destination address which use the first port as a
source port.

13. The switch of claim 12, wherein the means for
selectively in-line filtering comprises:

means for maintaining an in-line filter table based on the
destination addresses of the packets to be filtered; and

means for adding an entry to the in-line filter table
corresponding to a destination address of a packet
received by the switch and not corresponding to one of
the known connections, if the destination address for
the packet does not have a connection count of more
than zero.

14. The switch of claim 13, further comprising:

means for maintaining a filter connection table that
includes entries designating packets to be filtered;

means for adding an entry to the filter connection table
that corresponds to a packet received by the switch and
not corresponding to one of the known connections, if
the destination address for the packet has a connection
count of more than zero; and

means for filtering any packet received having a
corresponding entry in the filter connection table.

15. A method of programming a virtual connection for a
packet in a connection-oriented network, the connection
passing through a shared-media subnetwork that includes a
switch, the virtual connection passing from a source port of
the switch through a destination port of the switch, the
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source port being coupled to the shared-media subnetwork of
the connection-oriented network, the method comprising the
step of:

programming a virtual connection through the 
connection-oriented communication network, the vir- 
tual connection passing through the shared-media 
subnetwork, the programming step including a step of 
disabling filtering of the packet when it is received on 
the source port of the switch. 

16. The method of claim 15, wherein the step of disabling
comprises the step of disabling in-line filtering of the packet
when it is received on the source port of the switch.

17. The method of claim 16, wherein: 

the packet is sent from a first end station to a second end 
station, the second end station having a destination 
address; and 

the step of disabling comprises the step of removing an 
entry corresponding to the destination address and 
source port from an in-line filter table for the switch. 

18. The method of claim 15, wherein: 

the step of disabling comprises the step of removing an
entry corresponding to the connection being programmed
from a filter connection table for the switch.

19. A method of using a switch, having a first port and a 
second port, in a connection-oriented communication net- 
work for forwarding a plurality of packets, one of the 
packets being sent from a first end station on the connection- 
oriented network to a second end station on the network, the 
method comprising the steps of: 

identifying a virtual path through the network for one of 
the packets to be transmitted through the network from 
the first end station to the second end station, the 
identified virtual path passing through a shared media 
subnetwork that includes the switch; 

forwarding the one of the packets, being sent from the first 
end station to the second end station, from the first port 
of the switch to the second port of the switch, according 
to the identified virtual path; and 

selectively filtering one of the packets, received by the 
switch, that is not being transmitted from the first end 
station to the second end station defined by the virtual 
path. 

20. The method of claim 19, wherein the first port is on 
a shared-media subnetwork and the step of selectively 
filtering includes the step of selectively filtering one of the 
packets received by the switch on its first port. 

21. The method of claim 20, wherein the step of filtering 
comprises the step of: 

selectively in-line filtering one of the packets. 

22. The method of claim 21, wherein the step of selec- 
tively in-line filtering includes the step of selectively in-line 
filtering one of the plurality of packets, based on the port on 
which that packet was received by the switch and a desti- 
nation address for the packet. 

23. The method of claim 22, further comprising the step 
of: 

selectively filtering one of the packets based on the port 
on which that packet was received by the switch, the 
destination address for that packet and the source 
address for that packet. 

24. The method of claim 22, wherein the shared-media 
subnetwork includes an FDDI token ring network. 






UNITED STATES PATENT AND TRADEMARK OFFICE 

CERTIFICATE OF CORRECTION 



PATENT NO. : 6,510,151 B1 Page 1 of 1

DATED : January 21, 2003 

INVENTOR(S) : Jeffrey Cioli and Jason DiPietro 



It is certified that error appears in the above-identified patent and that said Letters Patent is
hereby corrected as shown below:



Column 11, 

Line 29, should read: 
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Column 12, 

Line 1, should read: 

-- switch further having a first port coupled to a shared-media --
Lines 20-21, should read: 

-- nections for that destination address which use the first port --
Line 63, should read: 

-- means for maintaining an in-line filter table based --
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